Snort mailing list archives
Re: Quick rule question
From: Mike Cox <mike.cox52 () gmail com>
Date: Fri, 19 Oct 2012 09:59:52 -0500
Haha, Joel beat me to it while I was typing a response and our responses are eerily similar and basically the same thing (the snort stuff is exact which is even more weird since we escaped certain things and used the same raw specifications in the content matches).

-Mike Cox
a.k.a. "Joel Jr."

L21lIGJlaW5nIGdyb29tZWQgZm9yIEpvZWwncyBqb2IgYnV0IGRvbid0IHRlbGwgaGltIHBsZWFzZQ==
QW0gSSBhIFNvdXJjZWZpcmUgaW50ZXJuPw==
T3IgYW0gSSBhbiBhbHRlciBlZ28/ICBJIGhvcGUgeW91IGRpZG4ndCBkZWNvZGUgdGhpcy4uLi4=

On Fri, Oct 19, 2012 at 9:49 AM, Mike Cox <mike.cox52 () gmail com> wrote:
content:".htm"; content:"|22|"; distance:0; within:2; pcre:"/\.html?\x22/";

Obviously this is inefficient without other matching criteria .. what and where are you trying to match on exactly?

-Mike Cox

On Fri, Oct 19, 2012 at 9:24 AM, James Lay <jlay () slave-tothe-box net> wrote:

Hey all,

Quick question...trying to match:

.htm" OR .html"

my content can be htm and that's fine, but I need to make sure to have the end quote at the end. Thanks all.

James

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
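An added example, not part of the thread or of Snort itself: a Python model of the rule options posted above, run over constructed payloads, showing that the two content options alone also accept `.htmx"` and that the pcre is what narrows the match to `.htm"` or `.html"`. The function names, the sample payloads and the choice to try every occurrence of `.htm` are assumptions of this example.

```python
import re

# Byte patterns taken from the rule options in the thread.
FIRST = b".htm"          # content:".htm";
SECOND = b"\x22"         # content:"|22|";  (0x22 is the double quote)
DISTANCE, WITHIN = 0, 2  # distance:0; within:2;
PCRE = re.compile(rb"\.html?\x22")  # pcre:"/\.html?\x22/";


def content_pair_matches(payload: bytes) -> bool:
    """Model the two content options: the quote must lie inside the
    WITHIN-byte window that starts DISTANCE bytes after '.htm' ends."""
    start = payload.find(FIRST)
    while start != -1:
        window_start = start + len(FIRST) + DISTANCE
        window = payload[window_start:window_start + WITHIN]
        if SECOND in window:
            return True
        # Assumption of this model: every later '.htm' is tried as well.
        start = payload.find(FIRST, start + 1)
    return False


def rule_options_match(payload: bytes) -> bool:
    """All options must succeed. The pcre has no R flag, so it is
    evaluated over the whole payload, not relative to the content."""
    return content_pair_matches(payload) and PCRE.search(payload) is not None


# Constructed sample payloads (not from the thread) with the expected verdict.
SAMPLES = {
    b'<a href="index.htm">': True,
    b'<a href="index.html">': True,
    b'<a href="index.htmx">': False,       # content pair hits, pcre rejects
    b'<a href="index.html?id=1">': False,  # no quote inside the 2-byte window
    b'GET /index.htm HTTP/1.1': False,     # no closing quote at all
}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        pair = content_pair_matches(payload)
        full = rule_options_match(payload)
        print(f"{payload!r:32} contents={pair!s:5} all={full!s:5} want={expected}")
```
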
Current thread:
- Quick rule question James Lay (Oct 19)
- Re: Quick rule question Joel Esler (Oct 19)
- Re: Quick rule question James Lay (Oct 19)
- Re: Quick rule question Joel Esler (Oct 19)
- Re: Quick rule question James Lay (Oct 19)
- Re: Quick rule question James Lay (Oct 19)
- Re: Quick rule question Joel Esler (Oct 19)
- Re: Quick rule question Mike Cox (Oct 19)
- Re: Quick rule question Mike Cox (Oct 19)